# Vault-fix
vault-fix is a CLI utility and Python package that helps you export and import secrets to and from [Vault] instances.
You can use it to load fixture files for local development (its original purpose), or to migrate data from one
Vault instance to another. Secrets may be [encrypted](#Encrypting-output) and/or
[piped to another vault-fix instance](#Directing-data-to-the-load-command) so the data is not persisted.
## Historical context
vault-fix was created to address an issue with the default behaviour of [Vault instances in dev mode] during local
development. In dev mode, Vault starts with ephemeral (in-memory) storage, and mounting a volume will not make it
persistent. If you want persistent data, you'd have to provision a mount and a volume. However, this will make your
local test environment more stateful, which is not always desirable. Plus, a normal Vault instance can "seal" itself to
protect itself from attackers, which is not something you normally want to deal with during development.
Instead, you may want to load a known fixture: a curated set of secrets that you don't want to set manually every time
you restart Vault. This allows you to start from a clean slate every time you test or debug. You can
[automate the loading](#Using-vault-fix-as-a-Python-package) or dumping of secrets, and/or use the CLI.
## Installation
```bash
pip install vault-fix
```
## Usage
Finding out how this works:
```bash
vault-fix --help
Usage: vault-fix [OPTIONS] COMMAND [ARGS]...
Load or dump data?
╭─ Options ───────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ --install-completion Install completion for the current shell. │
│ --show-completion Show completion for the current shell, to copy it or customize the installation. │
│ --help Show this message and exit. │
╰─────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
╭─ Commands ──────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ dump Load up, and dump secrets to and from Vault. │
│ load Load up, and dump secrets to and from Vault. │
╰─────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
```
Specific to dumping fixtures:
```bash
vault-fix dump --help
Usage: vault-fix dump [OPTIONS] MOUNT PATH
Load up, and dump secrets to and from Vault.
╭─ Arguments ─────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ * mount TEXT Vault mount [default: None] [required] │
│ * path TEXT Vault path within the mount [default: None] [required] │
╰─────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
╭─ Options ───────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ * --token -t TEXT Vault access token. [default: None] [required] │
│ --host -H TEXT Vault hostname [default: localhost] │
│ --port -P INTEGER Vault network port. [default: 8200] │
│ --tls --no-tls Enable or disable TLS [default: tls] │
│ --verbose -v INTEGER Specify verbosity level by passing more 1 or more -v -vv │
│ -vvv's │
│ [default: 0] │
│ --file -f TEXT Output file, stdout if not specified [default: -] │
│ --password -p TEXT Password to encrypt the dumped fixture, or none for plain text │
│ output. │
│ --pretty --no-pretty Pretty print the output (if JSON formatted [default: pretty] │
│ --serializer [json|yaml] Which serializer do you prefer? [default=yaml] [default: yaml] │
│ --help Show this message and exit. │
╰─────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
```
Specific to loading fixtures:
```bash
vault-fix load --help
Usage: vault-fix load [OPTIONS] MOUNT PATH
Load up, and dump secrets to and from Vault.
╭─ Arguments ─────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ * mount TEXT Vault mount [default: None] [required] │
│ * path TEXT Vault path within the mount [default: None] [required] │
╰─────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
╭─ Options ───────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ * --token -t TEXT Vault access token. [default: None] [required] │
│ --host -H TEXT Vault hostname [default: localhost] │
│ --port -P INTEGER Vault network port. [default: 8200] │
│ --tls --no-tls Enable or disable TLS [default: tls] │
│ --verbose -v INTEGER Specify verbosity level by passing more 1 or more -v -vv │
│ -vvv's │
│ [default: 0] │
│ --file -f TEXT Input file, assumes stdin if not specified [default: -] │
│ --password -p TEXT Password to decrypt the dumped fixture, or none for plain │
│ text input. │
│ --deserializer [json|yaml|auto] Which deserializer does the fixture file require? │
│ [default: auto] │
│ --help Show this message and exit. │
╰─────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
```
## Examples
### Simple dump
Dump secrets from a locally running vault instance:
```bash
vault-fix dump secret / --no-tls
```
### Directing output
Output is printed to stdout by default. You can specify `-f FILE` or redirect the output to a file, like:
```bash
vault-fix dump secret / --no-tls > my-fixture.yaml
```
### Encrypting output
If you want your secrets encrypted, pass `-p` to get a password prompt. You can also pass the password on the command line, but that is not safe: it ends up in your shell history and is visible in the process list.
```bash
vault-fix dump secret / --no-tls -p
```
Only the secrets will be encrypted; the paths will remain in plain text.
### JSON instead of YAML
If you want your secrets dumped in JSON format instead of the default YAML format, pass `--serializer json`:
```bash
vault-fix dump secret / --no-tls --serializer json
```
### Simple load
Load secrets from a file to a locally running vault instance:
```bash
vault-fix load secret / --no-tls -f my-fixture.json
```
If the fixture is encrypted, you need to pass the `-p` parameter, or you will get a runtime error.
### Directing data to the load command
Pipe secrets from a file into the load command, which reads from stdin and loads them into a locally running Vault instance:
```bash
cat my-fixture.json | vault-fix load secret / --no-tls --deserializer json
```
Which brings us to this command, which allows you to migrate secrets between Vault instances:
```bash
vault-fix dump secret / -H vault.dev.yourdomain.com | vault-fix load secret / --no-tls
```
## Using vault-fix as a Python package
One of the best things about this utility is that you can automatically load fixtures to a local vault dev server, e.g.
during application startup.
```python
from hvac import Client
from vault_fix.load import load_fixture_from_file
from vault_fix.serializers.yaml import yaml_deserializer

# Vault docker container running on your local machine in dev mode, with ephemeral storage.
# Assuming the following defaults
VAULT_ADDR = "http://vault:8200"
VAULT_TOKEN = "root"
VAULT_TLS_ENABLED = False
VAULT_MOUNT = "secret"
FIXTURE_PATH = "../vault_fixture_local_dev.yaml"


def load_vault_secrets() -> None:
    print(f"Attempting to import vault fixture from {FIXTURE_PATH}")
    client = Client(url=VAULT_ADDR, token=VAULT_TOKEN, verify=VAULT_TLS_ENABLED)
    try:
        with open(FIXTURE_PATH, "rt") as fixture_fh:
            load_fixture_from_file(
                hvac=client, fixture=fixture_fh, mount_point=VAULT_MOUNT, deserializer=yaml_deserializer
            )
        print(f"Imported vault fixture from {FIXTURE_PATH}")
    except OSError:
        print(f"Can't read fixture file from {FIXTURE_PATH}")
```
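Because a startup hook like the one above writes secrets with whatever address and token it is given, it is worth refusing to run unless the target is clearly a dev Vault. The following guard is an added example, not part of vault-fix; `assert_dev_vault`, `guarded_load`, `UnsafeVaultTarget` and the `DEV_HOSTNAMES` allowlist are hypothetical names, and the allowlist is an assumption you should adapt to your own setup.

```python
import ipaddress
from typing import Callable, FrozenSet
from urllib.parse import urlsplit

# Assumption: hostnames that count as a local dev Vault in your setup.
# "vault" is the docker hostname used in the snippet above.
DEV_HOSTNAMES: FrozenSet[str] = frozenset({"localhost", "vault"})


class UnsafeVaultTarget(RuntimeError):
    """The fixture load is aimed at something that is not a known dev Vault."""


def assert_dev_vault(vault_addr: str, allowed_hosts: FrozenSet[str] = DEV_HOSTNAMES) -> str:
    """Return the normalised host if vault_addr is a dev target, else raise."""
    try:
        parts = urlsplit(vault_addr)
        host = (parts.hostname or "").rstrip(".")
    except ValueError as exc:  # malformed URL, e.g. an unterminated IPv6 literal
        raise UnsafeVaultTarget(f"cannot parse {vault_addr!r}") from exc
    if parts.scheme not in ("http", "https"):
        raise UnsafeVaultTarget(f"unsupported or missing scheme in {vault_addr!r}")
    if parts.username is not None or parts.password is not None:
        # "http://localhost@other-host" style URLs are easy to misread; reject them.
        raise UnsafeVaultTarget("credentials in the Vault URL are not allowed")
    if not host:
        raise UnsafeVaultTarget(f"no host in {vault_addr!r}")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # not an IP literal, treat it as a hostname
    if ip is not None:
        # IP literals must be loopback; container or LAN addresses need a name in allowed_hosts.
        if not ip.is_loopback:
            raise UnsafeVaultTarget(f"{host} is not a loopback address")
    elif host not in allowed_hosts:
        # Exact match only: "localhost.example.org" or "vault.dev.yourdomain.com" are refused.
        raise UnsafeVaultTarget(f"{host} is not an allowed dev hostname")
    return host


def guarded_load(vault_addr: str, loader: Callable[[], None]) -> bool:
    """Run loader (e.g. load_vault_secrets) only when the target passes the check."""
    try:
        assert_dev_vault(vault_addr)
    except UnsafeVaultTarget as exc:
        print(f"Refusing to load fixture: {exc}")
        return False
    loader()
    return True
```

At application startup you would call `guarded_load(VAULT_ADDR, load_vault_secrets)` instead of calling `load_vault_secrets()` directly.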
### Other good to knows
- The path parameter specifies the path in the Vault server you want to dump, or the path from the fixture file you
  would like to load to a server. This means you can select a subset of secrets to dump or load from servers or
  fixtures respectively.
- vault-fix does not dump or import metadata, including previous versions of secrets.
## Hacking on this utility
Check out the project, make a virtual env with hatch and install dependencies.
```bash
git clone git@github.com:SnijderC/vault-fix.git
cd vault-fix
pre-commit install
pip install hatch
hatch shell
```
### Running tests
If you're in a hatch shell, exit it first, then:
```bash
hatch run test:pytest
```
This will test vault-fix against Python 3.9 - 3.11. If you don't have all of those, they will be skipped. You can
install them with [pyenv](https://github.com/pyenv/pyenv#installation):
```bash
pyenv install 3.9 3.10 3.11
```
[Vault]: https://www.vaultproject.io/
[Vault instances in dev mode]: https://developer.hashicorp.com/vault/tutorials/getting-started/getting-started-dev-server#starting-the-dev-server
Raw data
{
"_id": null,
"home_page": null,
"name": "vault-fix",
"maintainer": null,
"docs_url": null,
"requires_python": ">=3.9",
"maintainer_email": null,
"keywords": "fixture, hasicorp, migration, testing, vault",
"author": null,
"author_email": "Chris Snijder <github@chrissnijder.nl>",
"download_url": "https://files.pythonhosted.org/packages/e3/8f/95114b0f0b5a82fb25b7416160615326298fe1a5c555a12701aadd6c2559/vault_fix-1.4.0.tar.gz",
"platform": null,
"bugtrack_url": null,
"license": "Copyright 2023 Chris Snijder Licensed under the Apache License, Version 2.0 (the \"License\"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.",
"summary": "Tool for importing and exporting vault fixture files to and from vault dev mode instances.",
"version": "1.4.0",
"project_urls": {
"Homepage": "https://github.com/SnijderC/vault-fixtures"
},
"split_keywords": [
"fixture",
" hasicorp",
" migration",
" testing",
" vault"
],
"upload_time": "2024-05-01 13:35:01",
"github": true,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"github_user": "SnijderC",
"github_project": "vault-fixtures",
"travis_ci": false,
"coveralls": false,
"github_actions": false,
"lcname": "vault-fix"
}